Author: Summer Stratton, Digital Marketing Manager
Have you ever received an email from your boss, a client, or a vendor asking you to do something urgent, like sending money, buying gift cards, or sharing confidential information? Did you notice anything odd about the email, such as a slight misspelling of the sender’s name, a different domain, or a sense of pressure or fear? If you did, you might have been the target of a business email compromise (BEC) scam, one of the most common and costly types of cyberattacks.
What is BEC?
BEC is a type of phishing attack that targets organizations, with the goal of stealing money or critical information. BEC scammers use email to impersonate a trusted person, such as a vendor, a CEO, or a lawyer, and send a message that appears to be legitimate. The message may request a payment, a purchase, a wire transfer, or sensitive data. The scammer may use various techniques to make the email look authentic, such as:
- Spoofing an email account or website. The scammer may use slight variations on legitimate addresses or domains to fool the victim into thinking the email is from a known source.
- Sending spear-phishing emails. The scammer may send personalized emails that look like they are from a trusted sender, and trick the victim into revealing confidential information, such as passwords or account numbers.
- Using malware. The scammer may infect the victim’s computer or network with malicious software that allows them to access legitimate email threads, invoices, or data. The scammer may then use this information to time their requests or send messages that seem consistent with normal business operations.
Who are the targets of BEC?
BEC scams can affect anyone who uses email to conduct business, whether personal or professional. Businesses of all sizes and sectors, governments, nonprofits, and schools are all potential targets. However, some roles are targeted more often than others, such as:
- Finance or accounting staff who handle payments or invoices
- Human resources staff who have access to employee information or payroll
- Executives or managers who have authority to approve transactions or requests
- Assistants or administrative staff who support executives or managers
- Customers or clients who receive invoices or payment instructions from vendors or service providers
How to prevent BEC
BEC scams can cause significant financial and reputational damage to businesses and individuals. Therefore, it is important to take proactive measures to protect yourself and your organization from these attacks. Here are some best practices to follow:
- Educate yourself and your staff on how to identify and report BEC attempts. Security awareness training programs can help you recognize the signs of phishing emails, such as urgent requests, unusual instructions, spelling errors, or mismatched domains.
- Use a secure email solution that can flag and delete suspicious emails or alert you that the sender is not verified. You can also block certain senders and report emails as spam.
- Implement multi-factor authentication (MFA) on all your email accounts and other online services that allow it. MFA adds an extra layer of security by requiring you to enter a code or use a device in addition to your password.
- Reduce the risk of typosquatting by registering domains that closely resemble your own and setting up alerts for changes to your domain names.
- Implement a verification procedure for any request involving money or sensitive information. Use a phone call, a video call, or a face-to-face meeting to confirm the identity and legitimacy of the sender before taking any action.
- Develop effective security controls for your network and devices. You can use antivirus software, firewalls, encryption, backups, and regular updates to protect your data and systems from malware and unauthorized access.
- Limit public display of personal or professional information on social media or other online platforms. Scammers may use this information to research their targets and craft convincing emails.
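The spoofing technique described earlier (slight variations on a legitimate address or domain) and the "mismatched domains" sign mentioned in the training bullet can both be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original post or from any product it mentions: it parses a raw message, compares the sender domain against a constructed list of trusted domains using character-confusable folding and edit distance, flags a display name that carries a trusted address while the real mailbox is elsewhere, flags a Reply-To that routes answers to a different domain, and scores the body for pressure wording. The trusted domains, confusable table, urgency terms and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: domains this organization's mail gateway treats as known-good.
TRUSTED_DOMAINS = {"example-corp.com", "vendor-example.net"}

# Character swaps that make a forged domain read like the real one at a glance.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Wording typical of the pressure BEC messages apply (constructed word list).
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "gift card",
                 "confidential", "before end of day")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def registrable(domain):
    """Crude registrable domain: last two labels (mail.example-corp.com -> example-corp.com).
    A production deployment would consult the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def address_domain(header_value):
    """Domain of the actual mailbox in a header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated.
    The edit-distance threshold of 2 is a tuning choice; short domains may need a stricter one."""
    reg = registrable(domain)
    if reg in trusted:
        return None
    for t in trusted:
        if normalize(reg) == normalize(t) or levenshtein(reg, t) <= 2:
            return t
    return None


def assess_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of (finding, detail) tuples for one RFC 5322 message string."""
    msg = message_from_string(raw)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))

    hit = lookalike_of(from_dom, trusted)
    if hit:
        findings.append(("lookalike-domain", f"{from_dom} imitates {hit}"))

    # Display name shows a trusted address while the real mailbox is elsewhere.
    if ("@" in display_name
            and registrable(display_name.rsplit("@", 1)[-1]) in trusted
            and registrable(from_dom) not in trusted):
        findings.append(("display-name-spoof", display_name))

    # Replies silently routed to a different domain than the visible sender.
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(("reply-to-mismatch", f"From {from_dom}, Reply-To {reply_dom}"))

    # Only single-part text bodies are scored here; multipart handling is left out for brevity.
    text = "" if msg.is_multipart() else (msg.get_payload() or "")
    terms = [t for t in URGENCY_TERMS if t in text.lower()]
    if terms:
        findings.append(("urgency-language", ", ".join(terms)))
    return findings


# Constructed sample messages: one ordinary invoice thread, one BEC-style request.
LEGIT = """From: "Dana Lee" <dana.lee@example-corp.com>
To: pay@example-corp.com
Subject: Q3 invoice

Attached is the Q3 invoice as discussed.
"""

SUSPECT = """From: "dana.lee@example-corp.com" <dana.lee@examp1e-corp.com>
Reply-To: <ceo.dana@webmail.example>
To: pay@example-corp.com
Subject: Quick favor

Urgent: I need a wire transfer approved immediately. Keep this confidential.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, assess_message(raw))
```

A message with any finding is a candidate for the out-of-band verification step above; the findings are indicators for a human or a quarantine rule, not proof of fraud, and the confusable table and edit-distance threshold should be tuned against your own domain names to keep false positives low.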
Conclusion
Business email compromise is a serious threat that can cost businesses and individuals millions of dollars and compromise their security and reputation. By following the tips above, you can reduce your risk of falling victim to these scams and protect your assets and information. Remember: always verify before you trust.